Under HIPAA, limited information may be shared with law enforcement in certain circumstances. The more common examples seen at UofL include:
When Required by Law, such as a law that requires reporting of certain types of wounds (e.g., gunshot wounds) or in response to a court order or subpoena.
For Identification and Location Purposes, for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person. The covered entity may disclose only the following information:
- Name and address;
- Date and place of birth;
- Social Security numbers;
- ABO blood type and rh factor
- Type of injury
- Date and time of treatment;
- Date and time of death, if applicable; and ;
- A description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or mustache), scars, and tattoos.
For the purposes of identification or location, the covered entity may not disclose any PHI related to the individual's DNA or DNA analysis, dental records, or typing, samples, or analysis of body fluids or tissue.
There are other less frequent circumstances where disclosures to law enforcement are permitted. HIPAA Privacy Guidance UD-11 (log-in required) provides additional information about this topic.
Court Order - A covered entity may disclose only the PHI expressly authorized by a court order.
Subpoena, Discovery Request, or Other Lawful Process - A covered entity may disclose PHI In response to a subpoena, discovery request, or other lawful process if it receives satisfactory assurance in writing from the party seeking the information that the party has made a good faith attempt to provide written notice to the individual and that the notice:
- Included sufficient information about the litigation or proceeding to permit the individual to raise an objection to the court, and
- The time for the individual to raise objections to the court has elapsed, and either no objections were filed or the objections have been resolved by the court. HIPAA Privacy Guidance UD-10 (log-in required) provides additional information on this topic.
For the purpose of fundraising, a covered entity may use, or disclose to a business associate or to an institutionally related foundation, the following PHI without an authorization:
- Demographic information, which includes name, address or other contact information, age, gender, insurance status,
- Date of Birth, and
- Dates of health care provided to an individual.
Any fundraising materials sent to an individual should include a clear and conspicuous description of how the individual may opt out of future fundraising communications. Covered entities must honor any opt outs received. HIPAA Privacy Guidance UD-19 (log-in required) provides additional information on this topic.
HIPAA regulates the PHI of decedents for 50 years after the date of death. However, HIPAA permits the disclosure of decedent information in certain circumstances and with certain limitations.
- Coroners and Medical Examiners - A covered entity may disclose PHI to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law.
- Uses and Disclosures for Cadaveric Organ, Eye or Tissue Donation Purposes - A covered entity may use or disclose PHI to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye or tissue donation and transplantation.
HIPAA Privacy Guidance UD-12 (log-in required) provides additional information on this topic.
HIPAA permits the disclosure of PHI to Adult or Child Protective Services in some circumstances.
For Children - A covered entity may disclose PHI to a public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect. This exception is one of the “Public Health Activities” provided by HIPAA.
HIPAA Privacy Guidance UD-07 (log-in required) provides additional information on public health activities.
For Adults - If a covered entity reasonably believes that an individual is a victim of abuse, neglect, or domestic violence, it may disclose PHI of the individual to a public health authority or other government authority authorized by law to receive reports of abuse, neglect, or domestic violence in accordance with the following:
- To the extent the disclosure is required by law and is limited to the relevant requirements of the law;
- If the individual agrees to the disclosure; or
- To the extent the disclosure is expressly authorized by statute or regulation and:
- The covered entity believes the disclosure is necessary to prevent serious harm to the individual or other potential victims; or
- If the individual is unable to agree because of incapacity, a law enforcement or other public official authorized to receive the report represents that the PHI is not intended to be used against the individual and that an immediate enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure.
If such a disclosure is made for adult abuse, neglect, or domestic violence scenarios, the covered entity has additional obligations for informing the individual of the reported disclosure. Please see HIPAA Privacy Guidance UD-08 (log-in required) for additional information on the adult abuse, neglect, and domestic violence reporting requirements.
Generally, an individual’s right to control PHI depends upon that same individual’s right to control the health care decision. HIPAA defers to state law for matters regarding parents and minors, but does provide two exceptions which may be used to address this question:
Disclosures to Family, Friends, and Others Involved in the Care of an Individual - HIPAA permits the disclosure to a person(s) involved in the current health care of an individual (e.g., family, friends, and others) PHI that is directly related to the person’s involvement in the current health of the individual or the payment related to that health care. This provision is not only for parents and minors but may also be applied to adult patients and their caregivers.
This provision, for example, allows a physician or staff to share details that might be important to the current care of the individual, such as a diagnosis or prognosis, or specific instructions for monitoring health or symptoms of the individual.
HIPAA Privacy Guidance UD-04 (log-in required) provides additional information on disclosures to Family, Friends, and Others involved in the care of individuals.
Personal Representative - This exception provides a broader scope of access and rights to information than the provision for family, friends, and others. It allows for access to the individual’s record, including the receipt of a complete copy of the record.
This provision says if, under applicable (state) law, a parent, guardian or other person acting in loco parentis has the authority to act on behalf of an unemancipated minor (child) in making decision related to health care, a covered entity must treat such person as the personal representative of the individual. This generally means PHI can be disclosed to the personal representative in the same way as if the individual (e.g., child) were making the request for access to PHI.
It’s important to note that the discretion to deny or provide access to a parent under HIPAA may only be exercised by a licensed health care professional who is exercising his/her professional judgment.
HIPAA Privacy Guidance UD-05 (log-in required) provides additional information on Personal Representatives.
If state or other law requires the school to have proof of immunization prior to enrollment, HIPAA allows the covered entity to disclose proof of immunization directly to a school, as long as the agreement (oral or written) of the parent/guardian is obtained and documented by the covered entity.
HIPAA permits a covered entity to release absentee/return-to school forms to the individual (child/parent). Such disclosure cannot be made directly to the school unless a valid HIPAA authorization is obtained from the parent/guardian.